Ivanti Endpoint Manager Mobile instances in cloud environments impacted by the authentication bypass flaw, tracked as CVE-2025-4427, and the post-authentication remote code execution issue, tracked as CVE-2025-4428, have been subjected to ongoing attacks since Friday, following the initial targeting of on-premises deployments, The Register reports.
Intrusions leveraging the vulnerabilities, which stem from open-source libraries bundled with EPMM, have led to the deployment of multiple payloads, including the widely used Sliver remote access framework, which provides attackers with persistence on targeted systems for further compromise, according to findings from Wiz Research. Additional analysis revealed unprotected Java Expression Language and Spring processing within the open-source libraries linked to both bugs, with Wiz researchers noting that the IP address leveraged in the intrusions had a TLS certificate that has been maintained since November. "This continuity leads us to conclude that the same actor has been opportunistically targeting both PAN-OS and Ivanti EPMM appliances," said Wiz researchers. The development comes after both Ivanti EPMM defects were added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog.